Securing Removable Storage Devices with BitLocker To Go in Windows 7

Windows 7 is the next generation of operating system due from Microsoft and it is now set for a planned release in the final quarter of 2009 which would be just a bit shy of the three years since the release of Windows Vista.

This article series is a security overview of BitLocker and Encrypting File System (EFS) in Windows 7.

[NOTES FROM THE FIELD] – Microsoft has now released their Release Candidate for Windows 7; and at this time there is a tentative release date for Windows 7 this fall ~ October 22nd time frame.

In this third article, I will be reviewing similar details with respect to the BitLocker To Go feature of BitLocker.

An Overview of “Why” BitLocker To Go

BitLocker Drive Encryption itself is available on some versions of Windows Vista, Windows Server 2008 R2 and in some editions of Windows 7.

Using BitLocker Drive Encryption is one of the best ways to protect portable systems such as laptops from loss of data and information when the laptops themselves are lost or stolen.

The main issue with other devices such as removable hard drives and especially USB drives and other flash card type memory is that there is often data loss that results from the loss or theft of those devices.

Most specifically with USB stick and flash memory cards is that the theft is often not reported as it may be some time or possibly never that the realization occurs that the memory is not missing but perhaps stolen.

Its one thing to misplace the devices but they are still attractive from the theft angle since they are small and easily pocketed.

The memory modules storage capacity is on the increase (and flash and USB memory is now in the 64GB and 128GB ranges) and the prices are decreasing. As such we are going to see more and more of them casually left around simply because they are becoming more incidental from a cost perspective. Often the data that might be on them and the associated real value of that data is not considered with respect to leaving them casually on a counter with car keys or on the desk in a hotel and so forth as the initial consideration of the device is that “it costs under $30.00” (or something along those lines).

From the business administration and security perspective BitLocker To Go allows control over how removable storage devices are secured. Admins can force the data protection for any removable storage device locally on a system by system configuration or by leveraging settings available in Group policy.

One of the main features of BitLocker To Go is that it allows for read-only support on older versions of Windows such as Vista and Windows XP.

[NOTES FROM THE FIELD] – When a removable drive or any type of flash memory is protected with BitLocker, the BitLocker To Go Reader is copied to the drive, providing read-only access when the drive is accessed from computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, if the user has the required password to unlock the drive.

This allows for backwards compatibility and use of the devices in read only mode on these older versions of the operating system.

Administrators running supported Windows Domains can configure settings in Group Policy that manages these settings for corporate, domain connected devices for end users.

BitLocker To Go can be setup independently without requiring that the system partition on a given system to be protected with the traditional BitLocker feature to leverage it for the removable devices.

System Requirements for BitLocker Drive Encryption

There are system requirements in order to leverage BitLocker proper and it is good go be aware of these details when you are working towards assessing the use of BitLocker To Go for your enterprise.

The quick rundown on these requirements are:

In order for BitLocker to use the system integrity check provided by the Trusted Platform Module it must have a TPM running version 1.2 otherwise BitLocker will require you to save a startup key on a removable device such as a USB flash drive.

Systems with a TPM must also have the Trusted Computing Group compliant BIOS which allows for the required chain of trust for the initialization process before the operating system loads. Systems without a TPM do not require a TCG-compliant BIOS.

The system BIOS for TPM and non-TPM systems must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.

You need to have a primary partition that is at least 1.5 gigabytes (GBs) in size and it needs to be marked as the active partition. This is used by bootmgr to boot the system. The boot files are also found on this partition as well.

You’ll need at least one other primary partition to be used for the operating system and for data storage.

BitLocker To Go – Practical Use

So in order to fully leverage a BitLocker To Go controlled device (one that has already been secured by BitLocker To Go) such as a USB key drive on a Windows 7 system all you really need to do is plug it into the system, access it, (if it is not set to autorun) and unlock the drive.

When the drive autoruns or when you first go to access it you’ll be prompted to unlock the drive for use.

[NOTES FROM THE FIELD] – Depending on your choice of options, you can select the checkbox that states “Automatically unlock on this computer from now on” which allows you to set it so that you can just insert the device and access it in the future without needing to provide the password for the device any more.

For consideration of this discussion we’ll assume that we’re leaving that checkbox cleared.

Once you enter the password you can access the data on the device in Windows Explorer or from a command window in much the same manner as any other fixed or removal data storage source.

Locking the drive again is as simple as removing it from the dock or port connection. Once the device is removed it is automatically locked and in order to access it again you’d need to dock or insert it and repeat the steps of entering the password to gain access.

On Windows XP and Vista systems BitLocker To Go provides the BitLocker To Go Reader so that USB devices encrypted with BitLocker To Go can be leveraged in at least read only mode.

When a BitLocker To Go secured device like a USB key is inserted into a system running Windows XP or Vista (and the device is enabled for autorun) the Autoplay window will show the BitLocker To Go Reader so that it can be launched allowing read only access to the data after submitting the password.

[NOTES FROM THE FIELD] – On the plus side, you can copy off files to the local system if you need to make edits to them. In order to save them you’d need to either email them to yourself or put them on another USB or flash device as you cannot write them back to the BitLocker secured device when leveraged by these legacy operating systems.

The CON part of that is this leads to the possibility of misplaced data of a sensitive nature as it could be left on the accessing system (not completely deleted after the edits e.g. left in the recycle bin, leveraging a foreign email system which holds SENT data, etc) or it accidentally continues to be stored on the other portable device longer than necessary.

The main advantage of BitLocker To Go comes from the security perspective of carrying sensitive data around; if the drives are lost or stolen the data is kept secured and inaccessible (when the unlocking password is unknown).

To the finder (or the thief) of the portable device their only use of it is to format it and use it as storage for their own data without any access to yours.

That’s a wrap for mysecurity comparison overviewof BitLocker and Encrypting File System (EFS) in Windows 7 – I hope you found it a good investment of your time.

In an upcoming article, I’ll provide a walkthrough of the steps to configure BitLocker on your Windows 7 system.

I am always looking forward to any feedback you have on this or any of the articles I have written so feel free to drop in some comments or contact me directly.

Additionally, I would welcome any suggestions topics of interest that you would like to see and based on demand and column space I’ll do what I can to deliver them to you.

MEMBER LOGIN:

BECOME A PETRI MEMBER:

About the Contributor

Jason Zandri is a Senior Technical Account Manager at Microsoft Corporation. He has worked as a technical trainer and consultant for a variety of corporate clients in Connecticut over the past ten years. He also has written a number of CompTIA and Microsoft prep tests for Boson Software as well as a number of published articles for 2000trainers.com, MCMCSE.com, Serverwatch.com and Certification Magazine. His professional CompTIA certifications include: A+ Certified Technician, I-Net+ Certified Technician, Server+ Certified Technician, Network+ Certified Technician, and Security+ Certified Professional. His professional Microsoft certifications include: MCT, MCP, MCP+I, MCSA, MCSA: Security, and MCSE.